[R] R Tools Security Posture

Ivan Krylov kry|ov@r00t @end|ng |rom gm@||@com
Wed May 17 10:52:27 CEST 2023

В Tue, 16 May 2023 13:47:19 +0000
"MAJID, Ayesha \(NHS ENGLAND - X26\) via R-help" <r-help using r-project.org>

>   *   When was the application last updated?
>   *   How often is it updated?

This information is publicly available at
<https://developer.r-project.org/> by looking for "Release plans". You
can reach this page by starting at <https://www.r-project.org/> and
clicking the "Developer Pages" link. The developer pages are admittedly
harder to navigate than the main website, but I think that they could
answer some of your other questions too.

You can also obtain this information by looking for "News" under
<https://www.r-project.org/> and by checking the dates of all released
versions of R at <https://cloud.r-project.org/src/base/>.

>   *   Is the source code anywhere? If so where is

Yes, you can download release source code by following the "download R"
link at <https://www.r-project.org/>, ending up at
https://cloud.r-project.org/ (or your preferred CRAN mirror) and
clicking the link for the currently-latest version, R-4.3.0.tar.gz.

The link to the Subversion repository containing yet unreleased code
can be located at https://developer.r-project.org/.

> and is it secure?

What's the threat model?

>   *   Are there any common vulnerabilities?

What would be considered a vulnerability in a piece of software that
was never supposed to be a security boundary?

(Will R run arbitrary code typed at its prompt? Yes, by design. Is it
possible to feed maliciously-constructed data into R's unserialize()
and cause arbitrary code execution this way? Probably, but typing code
at the prompt is much easier. Can third-party R packages that start TCP
servers be convinced to run arbitrary code on attacker's behalf?
Consider that a given.)

>   *   Do your employees (e.g., developers or system administrators)
> have access to customer data?

By itself, R processes any data fed into it locally, on the computer
where it's running, without contacting R developers about it.

The same cannot be guaranteed about third-party packages, although
there are tests and reviews at both CRAN and Bioconductor in order to
prevent the packages from doing anything considered "anti-social". (See
<https://cran.r-project.org/web/packages/policies.html> for more
information on this.) A sufficiently motivated malicious actor could
circumvent them, of course, but that can be said about anything.

If someone at NHS wants to use R, they will probably want to use CRAN
and Bioconductor packages too. Potentially, they might need packages
published elsewhere as well. All these packages will have to be
reviewed separately from R, because they are maintained by different

>   *   Does R require third party authorization/connections?

No, but shouldn't you be more concerned with third-party software

(Did you mean to ask these questions at the public mailing list open
for J. Random Hackers like me to answer?)

Best regards,

More information about the R-help mailing list